MITRE ATT&CK April 2019 Update

MITRE has released an April 2019 update to its ATT&CK framework. It has been a year since the last major update featuring a new Tactic. This year brings a number of changes, the most significant being the addition of a 12th Tactic, Impact, which contains 14 new Techniques. There are also 7 new Techniques under existing Tactics, as well as a number of other minor changes.

Impact

The Impact Tactic covers integrity and availability attacks against enterprise systems. The 14 Techniques included in this update are as follows:

Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.

T1486 describes behavior most commonly associated with ransomware, and given that 39% of all identified malware in 2018 was classified as ransomware, this Technique is a welcome update.
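
One way a defender might look for the behavior T1486 describes, as an added example that is not from MITRE or the original article: it flags any process that writes high-entropy data to several distinct files, local or remote, within a short window. The thresholds, the event tuple layout and the sample events are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter, defaultdict

# Assumed thresholds for illustration; tune against your own baseline.
ENTROPY_BITS = 7.5     # encrypted output approaches 8.0 bits per byte
MIN_FILES = 3          # distinct files rewritten by one process
WINDOW_SECONDS = 60    # burst window

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of a sample; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def flag_encryption_bursts(events):
    """events: (timestamp_s, pid, path, sample_of_bytes_written) tuples.
    Returns {pid: paths} for bursts of high-entropy writes to many files."""
    high = defaultdict(list)
    for ts, pid, path, sample in events:
        if shannon_entropy(sample) >= ENTROPY_BITS:
            high[pid].append((ts, path))
    flagged = {}
    for pid, writes in high.items():
        writes.sort()
        start = 0
        for end in range(len(writes)):
            # Slide the window start forward until it spans <= WINDOW_SECONDS.
            while writes[end][0] - writes[start][0] > WINDOW_SECONDS:
                start += 1
            paths = {p for _, p in writes[start:end + 1]}
            if len(paths) >= MIN_FILES:
                flagged[pid] = sorted(paths)
                break
    return flagged

# Constructed sample data: a SHA-256 counter stream stands in for ciphertext.
CIPHERLIKE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
TEXT = b"quarterly report draft\n" * 100
SAMPLE_EVENTS = [
    (0, 4242, r"C:\Users\a\report.docx", CIPHERLIKE),
    (5, 4242, r"C:\Users\a\budget.xlsx", CIPHERLIKE),
    (9, 4242, r"\\fileserver\share\plan.pdf", CIPHERLIKE),  # remote drive
    (3, 1010, r"C:\Users\a\notes.txt", TEXT),               # low entropy
    (0, 3030, r"D:\media\a.mp4", CIPHERLIKE),               # high entropy but
    (900, 3030, r"D:\media\b.mp4", CIPHERLIKE),             # spread over 30 min:
    (1800, 3030, r"D:\media\c.mp4", CIPHERLIKE),            # not a burst
]
print(flag_encryption_bursts(SAMPLE_EVENTS))
```

High-entropy writes alone also match compressed archives and media, which is why the check requires several distinct files inside one window before it flags a process.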